Data Processing & Subprocessors
Effective 23 April 2026. Operated by Brian Kinane T/A SetupPasskeys.com, Ireland. Controller/DPO contact: privacy@setuppasskeys.com.
1. Roles & scope
When you ("Customer") use SetupPasskeys as a paid product, Customer is the data controller of end-user (your employees') personal data that passes through the service. SetupPasskeys acts as the data processor on Customer's behalf and processes that data only for the purposes of:
- Serving the branded passkey-setup guide to Customer's employees;
- Providing analytics on guide usage back to Customer admins;
- Billing, support, and service improvement.
SetupPasskeys does not sell, share, or use Customer end-user data for advertising, marketing, or training machine-learning models.
2. Categories of data processed
- Customer admin accounts — email address, hashed password (or SSO identifier), session tokens, timestamps.
- End-user guide visits — IP address (hashed with a daily-rotating salt before storage), user-agent, detected vendor/device, referrer. No name, email, or user identifier is collected or linked.
- Organisation configuration — branding (logo URL, colour, org name), passkey policy, support URL, UPN format hints.
- Billing — org/admin email, Stripe customer ID, subscription status. Payment card data is processed directly by Stripe; SetupPasskeys never receives or stores card numbers.
3. Subprocessors
We use the following third-party processors to deliver the service. Customer data is processed under each provider's DPA (links below). Notice of any addition or replacement will be given at least 30 days in advance by email to Customer's registered admin address.
| Provider | Purpose | Data | Location |
|---|---|---|---|
| Vercel Inc. | Hosting, CDN, edge functions | All traffic + API requests | EU + US |
| Supabase Inc. | Managed Postgres, authentication, storage | Admin accounts, org config, analytics | EU (Ireland region) |
| Stripe Payments Europe Ltd. | Payment processing, subscription billing | Billing email, subscription status, payment methods | EU + US |
| Resend Inc. | Transactional email (welcome, trial reminders, billing notices) | Admin email address, email content | EU + US |
| Microsoft Corporation | Outbound identity-provider branding lookup (Entra ID tenant) — Customer domain only, no personal data | Public Entra tenant metadata | Global |
| Google LLC (Gemini API) | AI screenshot diagnosis (only invoked when an end-user uploads a screenshot to troubleshoot a stuck passkey registration) | User-uploaded screenshot bytes + textual context. PII tokens (emails, phones, long ID strings) are scrubbed from response text server-side; image bytes are not retained by Google for training per Gemini API enterprise terms. | EU + US |
| Google LLC (Public DNS) | DNS-over-HTTPS MX-record verification for prospect-domain qualification | Customer-supplied prospect domain only. No personal data. | Global |
4. International transfers
Data primarily resides in the EU. Where subprocessors operate outside the EEA (notably Vercel and Stripe, which route through US infrastructure), transfers are made under the EU Commission's Standard Contractual Clauses (Module 2) and, where applicable, under the EU-US Data Privacy Framework.
5. Security
- TLS 1.2+ for all traffic in transit.
- Postgres data encrypted at rest (AES-256) by Supabase.
- End-user IP addresses stored only as a hashed fragment with a daily-rotating salt, making re-identification infeasible after ~24 hours.
- Row-level security on the database — admin accounts can only read their own organisation's data.
- Super-admin access restricted to a named allow-list of employee email addresses.
- Passwords hashed with bcrypt via Supabase auth; we never see plaintext.
6. Data retention
- Active organisations: data retained for the duration of the subscription.
- Cancelled organisations: hard-deleted on cancellation; backups purged within 30 days.
- Hashed visit logs: purged after 12 months.
- Billing records: retained for 7 years per Irish tax law (Stripe is the primary custodian).
7. Subject rights
End users (Customer's employees) should direct access / rectification / erasure requests to Customer, who is the controller. SetupPasskeys will assist Customer in fulfilling such requests at no additional cost. Customer admins can delete their own admin account (including all processed data) at any time from the Account settings panel in the admin portal.
8. Breach notification
SetupPasskeys will notify Customer without undue delay, and in any case within 72 hours of becoming aware, of any personal-data breach affecting Customer's data. Notification will be sent to the primary admin email on file.
9. Requesting a signed DPA
For enterprise customers that require a countersigned document (healthcare, finance, public sector, regulated industries), email legal@setuppasskeys.com with:
- Your organisation's legal name and registered address;
- The signatory's name and title;
- Any specific regulatory context (e.g. HIPAA BAA, ISO-27001 addendum).
We turn around most DPAs in 1–2 business days. Our standard template is based on the EU Commission Standard Contractual Clauses (Module 2: controller → processor).
Questions? Email privacy@setuppasskeys.com. See also our privacy policy and terms of service.